.TH controller 8 "May 2008" "OpenFlow" "OpenFlow Manual"
controller \- simple OpenFlow controller reference implementation
[\fIoptions\fR] \fImethod\fR \fB[\fImethod\fR]\&...
A sample OpenFlow controller which functions as an L2 MAC-learning
switch or hub. \fBcontroller\fR can manage a remote datapath through
a secure channel (see \fBsecchan(8)\fR). It can also connect directly
to a local datapath via Netlink.
\fBcontroller\fR controls one or more OpenFlow switches, specified as
one or more of the following OpenFlow connection methods:
\fBpssl:\fR[\fIport\fR]
Listens for SSL connections from remote OpenFlow switches on
\fIport\fR (default: 976). The \fB--private-key\fR,
\fB--certificate\fR, and \fB--ca-cert\fR options are mandatory when
\fBptcp:\fR[\fIport\fR]
Listens for TCP connections from remote OpenFlow switches on
\fIport\fR (default: 975).
Listens for connections from OpenFlow switches on the Unix domain
server socket named \fIfile\fR.
The local Netlink datapath numbered \fIdp_idx\fR, as configured with
This form requires that the local host has the OpenFlow kernel
module for Linux loaded.
\fBssl:\fIhost\fR[\fB:\fIport\fR]
The specified SSL \fIport\fR (default: 976) on the given remote
\fIhost\fR. The \fB--private-key\fR, \fB--certificate\fR, and
\fB--ca-cert\fR options are mandatory when this form is used.
\fBtcp:\fIhost\fR[\fB:\fIport\fR]
The specified TCP \fIport\fR (default: 975) on the given remote
The Unix domain server socket named \fIfile\fR.
\fB-p\fR, \fB--private-key=\fIprivkey.pem\fR
Specifies a PEM file containing the private key used as the switch's
identity for SSL connections to the controller.
\fB-c\fR, \fB--certificate=\fIcert.pem\fR
Specifies a PEM file containing a certificate, signed by the
controller's certificate authority (CA), that certifies the switch's
private key to identify a trustworthy switch.
\fB-C\fR, \fB--ca-cert=\fIswitch-cacert.pem\fR
Specifies a PEM file containing the CA certificate used to verify that
the switch is connected to a trustworthy controller.
\fB--peer-ca-cert=\fIcontroller-cacert.pem\fR
Specifies a PEM file that contains one or more additional certificates
to send to switches. \fIcontroller-cacert.pem\fR should be the CA
certificate used to sign the controller's own certificate (the
certificate specified on \fB-c\fR or \fB--certificate\fR).
This option is not useful in normal operation, because the switch must
already have the controller CA certificate for it to have any
confidence in the controller's identity. However, this option allows
a newly installed switch to obtain the controller CA certificate on
first boot using, e.g., the \fB--bootstrap-ca-cert\fR option to
.BR \-n ", " \-\^\-noflow
By default, the controller sets up a flow in each OpenFlow switch
whenever it receives a packet whose destination is known through
MAC learning. This option disables flow setup, so that every packet
in the network passes through the controller.
This option is most useful for debugging. It reduces switching
performance, so it should not be used in production.
\fB--max-idle=\fIsecs\fR|\fBpermanent\fR
Sets \fIsecs\fR as the number of seconds that a flow set up by the
controller will remain in the switch's flow table without any matching
packets being seen. If \fBpermanent\fR is specified, which is not
recommended, flows will never expire. The default is 60 seconds.
This option affects only flows set up by the OpenFlow controller. In
some configurations, the OpenFlow secure channel can set up some flows
on its own. To set the idle time for those flows, pass
\fB--max-idle\fR to \fBsecchan\fR(8).
This option has no effect when \fB-n\fR (or \fB--noflow\fR) is in use
(because the controller does not set up flows in that case).
.BR \-H ", " \-\^\-hub
By default, the controller acts as an L2 MAC-learning switch. This
option changes its behavior to that of a hub that floods packets on
all but the incoming port.
If \fB-H\fR (or \fB--hub\fR) and \fB-n\fR (or \fB--noflow\fR) are used
together, then the cumulative effect is that every packet passes
through the controller and every packet is flooded.
This option is most useful for debugging. It reduces switching
performance, so it should not be used in production.
\fB-P\fR[\fIpidfile\fR], \fB--pidfile\fR[\fB=\fIpidfile\fR]
Causes a file (by default, \fBcontroller.pid\fR) to be created indicating
the PID of the running process. If \fIpidfile\fR is not specified, or
if it does not begin with \fB/\fR, then it is created in
\fB-f\fR, \fB--force\fR
By default, when \fB-P\fR or \fB--pidfile\fR is specified and the
specified pidfile already exists and is locked by a running process,
\fBcontroller\fR refuses to start. Specify \fB-f\fR or \fB--force\fR
to cause it to instead overwrite the pidfile.
When \fB-P\fR or \fB--pidfile\fR is not specified, this option has no
\fB-D\fR, \fB--detach\fR
Causes \fBcontroller\fR to detach itself from the foreground session and
run as a background process.
.BR \-h ", " \-\^\-help
Prints a brief help message to the console.
\fB-v\fImodule\fR[\fB:\fIfacility\fR[\fB:\fIlevel\fR]], \fB--verbose=\fImodule\fR[\fB:\fIfacility\fR[\fB:\fIlevel\fR]]
Sets the logging level for \fImodule\fR in \fIfacility\fR to
\fIlevel\fR. The \fImodule\fR may be any valid module name (as
displayed by the \fB--list\fR action on \fBvlogconf\fR(8)), or the
special name \fBANY\fR to set the logging levels for all modules. The
\fIfacility\fR may be \fBsyslog\fR or \fBconsole\fR to set the levels
for logging to the system log or to the console, respectively, or
\fBANY\fR to set the logging levels for both facilities. If it is
omitted, \fIfacility\fR defaults to \fBANY\fR. The \fIlevel\fR must
be one of \fBemer\fR, \fBerr\fR, \fBwarn\fR, or \fBdbg\fR, designating
the minimum severity of a message for it to be logged. If it is
omitted, \fIlevel\fR defaults to \fBdbg\fR.
\fB-v\fR, \fB--verbose\fR
Sets the maximum logging verbosity level, equivalent to
\fB--verbose=ANY:ANY:dbg\fR.
.BR \-V ", " \-\^\-version
Prints version information to the console.
To connect directly to local datapath 0 over netlink (Linux only):
To bind locally to port 975 (the default) and wait for incoming connections from OpenFlow switches:
.B % controller ptcp:
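
The following pre-flight check is an added example, not part of the original manual or of the OpenFlow distribution. It audits a controller command line against the rules stated above: ptcp:/tcp: methods carry OpenFlow without SSL, pssl:/ssl: methods require --private-key, --certificate and --ca-cert, --max-idle=permanent is not recommended, and --noflow/--hub are for debugging only. The function name, the finding labels and the sample arguments are assumptions made for the example.

```python
# Added example: audits a controller(8) argument list against the man page text.
SHORT = {"-p": "--private-key", "-c": "--certificate", "-C": "--ca-cert",
         "-n": "--noflow", "-H": "--hub"}
TAKES_VALUE = {"-p", "-c", "-C"}           # short options followed by a PEM file
SSL_REQUIRED = ("--private-key", "--certificate", "--ca-cert")
PLAINTEXT = ("ptcp:", "tcp:")              # OpenFlow over unencrypted TCP
SSL = ("pssl:", "ssl:")                    # OpenFlow over SSL


def audit_controller_args(argv):
    """Return (finding, detail) tuples for one controller command line."""
    opts, methods = {}, []
    args = iter(argv)
    for arg in args:
        if arg.startswith("--"):
            name, _, value = arg.partition("=")
            opts[name] = value
        elif arg.startswith("-") and len(arg) > 1:
            flag, value = arg[:2], arg[2:]
            if flag in TAKES_VALUE and not value:
                value = next(args, "")     # value is the following argument
            opts[SHORT.get(flag, flag)] = value
        else:
            methods.append(arg)            # connection method such as pssl:976

    findings = [("plaintext", m) for m in methods if m.startswith(PLAINTEXT)]
    if any(m.startswith(SSL) for m in methods):
        findings += [("missing-ssl-option", o) for o in SSL_REQUIRED
                     if not opts.get(o)]
    if opts.get("--max-idle") == "permanent":
        findings.append(("permanent-flows", "--max-idle=permanent"))
    findings += [("debug-only", o) for o in ("--noflow", "--hub") if o in opts]
    return findings


if __name__ == "__main__":
    # Constructed command lines; file names and the address are placeholders.
    samples = [
        ["ptcp:"],
        ["-p", "privkey.pem", "--certificate=cert.pem", "pssl:"],
        ["-p", "privkey.pem", "-c", "cert.pem", "-C", "cacert.pem", "pssl:976"],
        ["-n", "--max-idle=permanent", "tcp:192.0.2.10"],
    ]
    for argv in samples:
        print("controller", " ".join(argv), "->", audit_controller_args(argv))
```

An empty result means none of these four conditions was found; the check does not validate the PEM files themselves.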